Beware of IPv6 security goblins, IETF warns

With World IPv6 Day just six weeks away, security consultants are once again warning that networks transitioning to the Internet's next-generation addressing scheme face serious risks unless they modify their defenses to accommodate the changes.

In a draft proposal filed Tuesday with the Internet Engineering Task Force, a security consultant warned that IPv6 traffic is often able to bypass firewalls, intrusion detection systems, and other security protections. With the majority of end-user devices now speaking the new language by default, their use may have serious unintended consequences.

"Most general-purpose operating systems implement and enable by default native IPv6 support and a number of transition-co-existence technologies," Fernando Gont of the UK Centre for the Protection of National Infrastructure wrote. "In those cases in which such devices are deployed on networks that are assumed to be IPv4-only, the aforementioned technologies could be leveraged by local or remote attackers for a number of (illegitimate) purposes."

The draft was published six weeks before the 2012 World IPv6 Day, scheduled for June 6. The aim of the campaign is to raise awareness of the new protocol, which will offer a virtually unlimited supply of IP addresses as well as improved efficiency and security in the way data is delivered from one endpoint to another. But the transition is fraught with risks for network administrators who don't ensure that transition extends to their defenses as well.

Of particular concern are technologies such as link-local IPv6 connectivity, 6over4 Neighbor Discovery, and various tunneling mechanisms, which are all used to help networks carry both IPv4 and IPv6 traffic. The draft also singles out a tunneling technology called Teredo that's built into various operating systems, including Microsoft Windows. Unless specific changes are made, networks that use these technologies are vulnerable to remotely exploited buffer overflow attacks and exploits that allow hackers to impersonate a local router.

Gont's paper, which is titled Security Implications of IPv6 on IPv4 Networks, provides links to a wealth of resources for ensuring that sensitive network resources remain isolated from IPv6 traffic.
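As an added illustration (not code from the article or from Gont's draft), the sketch below shows how a monitoring tool on a network assumed to be IPv4-only could label captured Ethernet frames that carry native IPv6, IPv6 encapsulated directly in IPv4 (protocol 41), or Teredo traffic to the Teredo server port (UDP 3544). The function names, labels, and sample frames are constructed for this example.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD    # EtherType values
PROTO_UDP, PROTO_IPV6_ENCAP = 17, 41   # 41 = IPv6 carried directly inside IPv4
TEREDO_PORT = 3544                     # UDP port used by Teredo servers

def classify(frame: bytes) -> str:
    """Label one untagged Ethernet II frame by the IPv6 mechanism it carries."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV6:
        if len(frame) < 14 + 40:
            return "malformed"
        src = frame[22:38]             # source address field of the IPv6 header
        link_local = src[0] == 0xFE and (src[1] & 0xC0) == 0x80   # fe80::/10
        return "native-ipv6-link-local" if link_local else "native-ipv6"
    if ethertype != ETH_IPV4:
        return "other"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if len(ip) < 20 or ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return "malformed"
    if ip[9] == PROTO_IPV6_ENCAP:
        return "ipv6-in-ipv4-tunnel"
    # Only the first fragment of a datagram contains the UDP header.
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if ip[9] == PROTO_UDP and first_fragment and len(ip) >= ihl + 8:
        if TEREDO_PORT in struct.unpack("!HH", ip[ihl:ihl + 4]):
            return "teredo-udp"
    return "ipv4"

def audit(frames):
    """Count frames that should not appear on a network assumed IPv4-only."""
    labels = Counter(classify(f) for f in frames)
    return {k: v for k, v in labels.items() if k not in ("ipv4", "other")}

# --- constructed sample frames (documentation addresses, checksums left zero) ---
def _eth(ethertype, payload):
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + payload

_V6 = struct.pack("!IHBB", 0x60000000, 0, 59, 255) + bytes.fromhex("fe80" + "00" * 13 + "01") \
      + bytes.fromhex("ff02" + "00" * 13 + "01")
SAMPLES = [_eth(ETH_IPV6, _V6), _eth(ETH_IPV4, _ipv4(41, _V6)),
           _eth(ETH_IPV4, _ipv4(17, struct.pack("!HHHH", 50000, 3544, 8, 0))),
           _eth(ETH_IPV4, _ipv4(17, struct.pack("!HHHH", 50000, 53, 8, 0)))]
```

Calling `audit(SAMPLES)` reports one frame each of native link-local IPv6, protocol-41 tunneling, and Teredo, and ignores the plain IPv4 DNS query. Matching on port 3544 only catches traffic to or from a Teredo server; it is a starting signal, not complete Teredo detection.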

At present I've got IPv6 turned off. The gurus of IP were previously warning all the children (me included) to turn off IPv6 if my ISP wasn't using it. I guess what I'll do is when I can't get to Google, or Yahoo cause they've gone IPv6, then I'll turn it back on because my ISP (Atee&Tee) seems to have buried its head in the sand and not said anything about it.

Good to raise awareness but at this point we just need to get on with it. Not like this hasn't been coming for a decade, but a lot of vendors have dragged their feet as much as possible and would continue to do so indefinitely if we don't just bite the bullet and force the issue. It's regrettable that there will probably have to be some actual incidents before everyone gets on board but so it goes.

If you have complete IPv6 connectivity, through a tunnel or a supporting ISP (if there are any, since there's not that much point yet), and on your local network... does that mean that devices on your network are wide open to the internet by default? To me, port forwarding through 1 IP address (be it a v4 or v6 address) sounds like a more secure default for regular human home users.

What I mean is with IPv6 is it by design that all local devices on a LAN would be accessible from the internet? And that you'd have to put special measures in place to prevent that?

Is this why Apple doesn't have IPv6 in the latest Airport Extreme software update?

It's probably more a matter of Apple's legal department trying to figure out just who to sue because someone had the balls to name something starting with the letter 'i'. Or Apple is just cooking up their own inclusive protocol, and just to follow up on Microsoft's confusing Windows RT <<<>>> WinRT fubar, Apple will name its release iPv6.

Is this why Apple doesn't have IPv6 in the latest Airport Extreme software update?

There's two Airport Extreme management clients latest updates. 4.0 for the dead simple "I just want it working", which only has IPv4, and 3.6, which has everything. It effectively split into two branches, 3.5 upgraded to 4.0, and 3.6 made available separately after...

The routers themselves have nothing changed as regards IPv6 in their 7.6.1 update. If it did, I'd certainly be surprised, as I have more trouble with a Billion 7800 getting confused over its IPv6 setup than the Airport Extreme.

If you have complete IPv6 connectivity, through a tunnel or a supporting ISP (if there are any, since there's not that much point yet), and on your local network... does that mean that devices on your network are wide open to the internet by default? To me, port forwarding through 1 IP address (be it a v4 or v6 address) sounds like a more secure default for regular human home users.

What I mean is with IPv6 is it by design that all local devices on a LAN would be accessible from the internet? And that you'd have to put special measures in place to prevent that?

Only if you're not using a firewall on your router... you don't need to port forward everything through one address for the firewall to do its job.